Redhat – Some AD Users are missing supplemental groups on RHEL Linux

active-directoryredhatsssd

My organization is trying to join our RHEL/CentOS 7 servers to our Microsoft AD domain. The domain controllers consist of 2x Windows 2008R2 servers and 1x Windows 2016 server.

On the Linux side, I'm using realm to join to the domain, which I've managed to do successfully:

# realm list
mydomain.net
  type: kerberos
  realm-name: MYDOMAIN.NET
  domain-name: mydomain.net
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@mydomain.net
  login-policy: allow-realm-logins

I would like to permit only members of a certain group access to SSH:

# realm permit -g mygroup@mydomain.net

That's when I encounter problems. When tested on two users, userA & userB, userA is allowed in, but userB is denied. The /var/log/sssd/sssd_mydomain.net.log file reveals that userB has no supplemental groups:

(Tue Sep 19 20:53:37 2017) [sssd[be[mydomain.net]]] [simple_access_check_send] (0x0200): Simple access check for userB@mydomain.net
(Tue Sep 19 20:53:37 2017) [sssd[be[mydomain.net]]] [simple_check_get_groups_send] (0x0400): User userB@mydomain.net is a member of 0 supplemental groups
(Tue Sep 19 20:53:37 2017) [sssd[be[mydomain.net]]] [simple_check_get_groups_send] (0x0400): All groups had name attribute

Or rather, it does, but none that SSSD can see. The following commands confirm that:

# id userA@mydomain.net
uid=1918001261(userA@mydomain.net) gid=1918000513(domain users@mydomain.net) groups=1918000513(domain users@mydomain.net),1918001757(devops_aws@mydomain.net),1918003900(sccm administrators@mydomain.net),1918004006(ts remote desktop users@mydomain.net),1918004329(macbook_users@mydomain.net)
# id userB@mydomain.net
uid=1918003883(userB@mydomain.net) gid=1918000513(domain users@mydomain.net) groups=1918000513(domain users@mydomain.net)

Eventually, we found out that userA has the adminCount attribute set to 1 in its AD/LDAP object. I'm not entirely sure what implications this attribute has, but it seems to be the reason why SSSD can find all of its supplemental groups and consequently it has found none for userB.

Any help would be greatly appreciated! I have been banging my head on this problem for a long, long time.

/etc/sssd/sssd.conf

[sssd]
domains = mydomain.net
config_file_version = 2
services = nss, pam

[domain/mydomain.net]
ad_domain = mydomain.net
krb5_realm = MYDOMAIN.NET
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = mygroup@mydomain.net
debug = 6

Best Answer

I figured out the issue when I read the SSSD Troubleshooting guide. In the guide, it briefly mentions:

If you use a non-standard LDAP search bases, please disable the TokenGroups performance enhancement by setting ldap_use_tokengroups=False. Otherwise, the AD provider would receive the group membership via a special call that is not restricted by the custom search base which causes unpredictable results

And in the blog post Restrict the set of groups the user is a member of with SSSD, a bit more is explained about TokenGroups:

The first step is to make the client look up the groups the user is a member of using plain LDAP lookups instead of looking up the AD-specific tokenGroups attribute. Normally, if all groups are to be returned, using the tokenGroups attribute provides a significant performance benefit, because the list of all groups is a member of can be returned with a single BASE-scoped search of the user entry. However, the tokenGroups attribute is a multi-valued list of SIDs the user is a member of and as said earlier, all the SIDs would have to be resolved into group names anyway.

It seems TokenGroups are an optimization technique, which is enabled by default, in resolving a user's groups. However, as these articles have alluded, it may prove problematic, as it did in my case.

The issue was fixed by simply setting the parameter to false:

[domain/mydomain.net]
ldap_use_tokengroups = false

in my sssd.conf file.

Related Solutions

Ldap – CentOS 6 SSSD SSH/Console Login Issues

According to that log, it looks like SSSD's LDAP provider crashed and had to be restarted. That's why you got access-denied.

See specifically:

(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].

and then it goes to

(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first

Those lines indicate that the server is starting up again. At a guess, I'd say something went wrong while processing the ldap password policy on the client, since the last thing before it crashed was a reference to the LDAP code for the ldap_pwd_exop.

Check /var/log/messages for indications of a crash and file a bug with CentOS. Ideally, install the debuginfo for the sssd, openldap and ding-libs packages, then attach to the sssd_be process with gdb and get a backtrace of the crash to include in the bug report.

Samba – Unable to Join Domain Using Samba Tool Net or Realm/SSSD

Why are you using net? You should join the domain with samba-tool

samba-tool domain join domain.example.org DC -Uadministrator --realm=domain.example.org

net isn't really used in samba 4 anymore except for shares and some other stuff.
Don't mess with kerberos cryptographic settings.

/etc/sssd/sssd.conf

Best Answer

Related Solutions

Ldap – CentOS 6 SSSD SSH/Console Login Issues

Samba – Unable to Join Domain Using Samba Tool Net or Realm/SSSD

Related Topic